# Configure Bastion Host Integration

Once IAM management is configured, you can enable secure SSH access to VMs in your Azure environment. This requires two parts:

* Bastion host configuration under the Azure integration (this page)
* [SSH access setup](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/install-ssh-access) under Integrations → SSH

{% hint style="warning" %}
Complete [IAM management](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/iam-management) before starting this step. The Bastion host configuration depends on the IAM permissions set up in the previous step.
{% endhint %}

## Prerequisites

Before setting up this integration, you must have an Azure Bastion host already deployed in your Azure environment. P0 does not create the Bastion host for you — it connects to an existing one.

If you have not yet deployed a Bastion host, see [Microsoft's Bastion deployment guide](https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal) to create one first.

Your existing Bastion host must meet the following requirements.

| Requirement      | Details                                                                                                |
| ---------------- | ------------------------------------------------------------------------------------------------------ |
| SKU type         | Must be **Standard** or **Premium** (Basic SKU is not supported because it does not support tunneling) |
| Tunneling        | Must be **enabled** in the Bastion host configuration                                                  |
| IP configuration | Must have at least one IP configuration                                                                |
| Subnet           | Must have an IP configuration with the **AzureBastionSubnet** subnet                                   |

{% hint style="info" %}
If any of these requirements are not met, P0 displays a specific error message during setup indicating which requirement failed. Update your Bastion host configuration in the Azure Portal and retry.
{% endhint %}

## How subscription Bastion hosts work

P0 installs Bastion host configuration **per subscription**. Each subscription that needs SSH access must have a Bastion host component configured. P0 supports two configuration modes:

| Mode                          | Description                                                                       | When to use                                                                             |
| ----------------------------- | --------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
| **Single Bastion host**       | Points directly to a Bastion host resource in the subscription                    | The subscription has its own Bastion host deployed                                      |
| **Subscription Bastion host** | References another subscription that already has a single Bastion host configured | Multiple subscriptions share a single Bastion host deployed in a different subscription |

**Single Bastion host** is the default mode. Select this when your subscription contains its own Bastion host. You provide the Bastion host's Azure resource ID, and P0 validates it against the requirements listed above.

**Subscription Bastion host** allows you to reuse a Bastion host from another subscription. When you select this mode, P0 shows a dropdown of subscriptions that already have a single Bastion host configured. The selected subscription's Bastion host is used for SSH sessions in the current subscription.

{% hint style="info" %}
A subscription Bastion host can only reference a subscription with a **single** Bastion host. Chaining references (a subscription Bastion host pointing to another subscription Bastion host) is not supported.
{% endhint %}

## Permissions

During setup, P0 creates a custom Azure role scoped to the target subscription. This role grants P0 the minimum permissions needed to manage Bastion sessions.

**Role name:** `P0 Bastion Host Management - {subscriptionId}`

**Required permissions:**

| Permission                                                       | Purpose                                                     |
| ---------------------------------------------------------------- | ----------------------------------------------------------- |
| `Microsoft.Network/bastionHosts/read`                            | Read Bastion host configuration and status                  |
| `Microsoft.Network/bastionHosts/disconnectActiveSessions/action` | Disconnect active Bastion sessions during access revocation |

This role is assigned to the service principal created during [Azure app registration](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/azure-app-registration).

## Setup steps

1. In the **Azure** integration on [p0.app](https://p0.app), select **Bastion Host**.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-903cc91bf4afc3288e1c7445dbd46326953a7eac%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

2. Click **Add subscription**.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-67bfc5eef3c0eb4b218ecee2f07f617cb40c8cce%2Fimage%20(253).png?alt=media" alt=""><figcaption></figcaption></figure>

3. Select a subscription. Only subscriptions with [IAM management](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/iam-management) already installed appear in this list.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-e8637b6bfb78766700403f20b6a0c74000e9ca58%2Fimage%20(255).png?alt=media" alt=""><figcaption></figcaption></figure>

4. Run the Shell or Terraform steps to create the custom role and assign it to the P0 service principal.

{% tabs %}
{% tab title="Shell" %}
The shell commands:

1. Set the active subscription
2. Create the `P0 Bastion Host Management` custom role with the required permissions
3. Assign the role to the P0 service principal
{% endtab %}

{% tab title="Terraform" %}
The Terraform configuration:

1. Creates an `azurerm_role_definition` resource with the required permissions
2. Creates an `azurerm_role_assignment` resource assigning the role to the P0 service principal
{% endtab %}
{% endtabs %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-c5dba55a291fa8e8651b96b5accef348abeb76cb%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-4ae71e0cb9bdd1a1de45150ea41df5f949cc8a30%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

5. Select the Bastion host mode:
   * **Single Bastion host** (default): Provide the Azure Bastion host resource ID. In the Azure Portal, go to the Bastions service, select your Bastion resource, and copy its Resource JSON to obtain the ID.
   * **Subscription Bastion host**: Select from the dropdown of subscriptions that already have a single Bastion host configured.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-1f9ae74d0eed14f9a0c5cec5c17053d45af1a8af%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-b311ad6de297d29ffd8bab60e1ef00ff703a87d4%2Fimage%20(237).png?alt=media" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
The Bastion host resource ID follows this format:

`/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupId}/providers/Microsoft.Network/bastionHosts/{bastionHostName}`
{% endhint %}

P0 validates the Bastion host against all requirements listed in the [Prerequisites](#prerequisites) section. If validation fails, you see a specific error message indicating which requirement was not met.
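To pre-flight an existing host before running the setup, the following added example (not P0's own code) applies the four prerequisite checks and the resource ID format from the hint above to the JSON that `az network bastion show -o json` returns. The field names it reads (`sku.name`, `enableTunneling`, `ipConfigurations[].subnet.id`) are an assumption about that output's flattened shape, and the sample host is constructed.

```python
import re

# Resource ID format from the hint above; named groups mirror its placeholders.
BASTION_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscriptionId>[^/]+)/resourceGroups/(?P<resourceGroupId>[^/]+)"
    r"/providers/Microsoft\.Network/bastionHosts/(?P<bastionHostName>[^/]+)$",
    re.IGNORECASE,
)


def parse_bastion_id(resource_id):
    """Return the ID's parts as a dict, or None if it is not a bastionHosts resource ID."""
    m = BASTION_ID_RE.match(resource_id.strip())
    return m.groupdict() if m else None


def check_bastion(host):
    """Return the error messages P0 would raise for this host (empty list = ready).

    `host` is the dict `az network bastion show -o json` returns; the field names used
    here (sku.name, enableTunneling, ipConfigurations[].subnet.id) are assumed from the
    flattened Microsoft.Network/bastionHosts resource shape.
    """
    errors = []
    if (host.get("sku") or {}).get("name") not in ("Standard", "Premium"):
        errors.append("Azure bastion host must be of 'Standard' or 'Premium' type")
    if not host.get("enableTunneling"):
        errors.append("Azure bastion host must have tunneling enabled")
    ip_configs = host.get("ipConfigurations") or []
    if not ip_configs:
        errors.append("Azure bastion host must have at least one IP configuration")
    elif not any(
        ((c.get("subnet") or {}).get("id") or "").lower().endswith("/subnets/azurebastionsubnet")
        for c in ip_configs
    ):
        errors.append(
            "Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet"
        )
    return errors


# Constructed sample host: Basic SKU with tunneling off, but on the correct subnet,
# so two of the four checks fail.
SAMPLE_HOST = {
    "sku": {"name": "Basic"},
    "enableTunneling": False,
    "ipConfigurations": [{"subnet": {"id": "/subscriptions/sub-placeholder/resourceGroups/rg-net"
                                           "/providers/Microsoft.Network/virtualNetworks/vnet-hub"
                                           "/subnets/AzureBastionSubnet"}}],
}
```

Each message returned by `check_bastion` matches a row of the Troubleshooting table below, so a clean run means the Azure-side prerequisites are met before you paste the resource ID into P0.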

The Bastion host configuration is now complete.

## Troubleshooting

| Error                                                                                   | Cause                                                  | Resolution                                                              |
| --------------------------------------------------------------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------- |
| "Azure bastion host must be of 'Standard' or 'Premium' type"                            | The Bastion host uses the Basic SKU                    | Upgrade the Bastion host to Standard or Premium SKU in the Azure Portal |
| "Azure bastion host must have tunneling enabled"                                        | Tunneling is disabled on the Bastion host              | Enable tunneling in the Bastion host configuration                      |
| "Azure bastion host must have at least one IP configuration"                            | The Bastion host has no IP configuration               | Verify the Bastion host is configured correctly in the Azure Portal     |
| "Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet" | The Bastion host is not attached to the correct subnet | Attach the Bastion host to a subnet named `AzureBastionSubnet`          |
| "Custom role not found in subscription"                                                 | The shell or Terraform commands did not complete       | Re-run the install commands from step 4                                 |
| "Custom role is not assigned to the App Client"                                         | The role assignment was not created                    | Re-run the role assignment command from step 4                          |

## Next step

Proceed to [Install SSH access control](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/install-ssh-access) to connect P0 to your Azure VMs.
